During the Amsterdam F2F, I took on an action to update the text on
minimization so that it refers to data collected per context rather
than the party nature of the collector, since minimization is applied
long after the interaction in which a given server might have been
a first or third party.
The WD text said
6.1.2.2 Data Minimization and Transparency
A third party MUST ONLY retain information for a Permitted Use for as long
as is reasonably necessary for that use. Third parties MUST make
reasonable data minimization efforts to ensure that only the data
necessary for the permitted use is retained. A third party MUST provide
public transparency of their data retention period. The third party MAY
enumerate each individually if they vary across Permitted Uses. Once the
period of time for which you have declared data retention for a given use,
the data MUST NOT be used for that permitted use. After there are no
remaining Permitted Uses for given data, the data must be deleted or
rendered unlinkable.
but appears to have been updated since then to say
6.1.1.2 Data Minimization and Transparency
Data retained by a party for permitted uses MUST be limited to the
data reasonably necessary for such permitted uses, and MUST be
retained no longer than is reasonably necessary for such permitted
uses. Third parties MUST make reasonable data minimization efforts
to ensure that only the data necessary for the permitted use is
retained. A third party MUST provide public transparency of their
data retention period. The third party MAY enumerate each individually
if they vary across Permitted Uses. Once the period of time for which
you have declared data retention for a given use has expired, the
data MUST NOT be used for that permitted use. After there are no
remaining Permitted Uses for given data, the data must be deleted
or rendered unlinkable.
However, now that I've had sufficient sleep and can see that this
section is inside third-party compliance, I believe that the change
to the first sentence is sufficient to cover my concern. Thanks!
But, while I am here, I suggest the paragraph be tweaked as follows
for consistency:
Data retained by a party for permitted uses MUST be limited to the
data reasonably necessary for such permitted uses, and MUST be
retained no longer than is reasonably necessary for such permitted
uses. A third party MUST make reasonable data minimization efforts
to ensure that only data necessary for each permitted use is
retained. A third party MUST provide public transparency of their
data retention period for each permitted use. Once a retention
period for a given use has expired, the data MUST NOT be used for
that permitted use; when there are no remaining permitted uses for
some data, that data MUST either be deleted or rendered unlinkable.
Cheers,
....Roy